UAC Bypass – Fodhelper

Windows 10 environments allow users to manage language settings for a variety of Windows features such as typing, text-to-speech, etc. When a user requests to open “Manage Optional Features” in Windows Settings in order to make a language change, a process is created under the name fodhelper.exe. This process runs as high integrity because the binary has the autoelevate setting set to “true”.

This can be verified by checking the Event Properties of the process:

Fodhelper – Running as High Integrity Process

However, processes running with higher privileges can give an attacker the opportunity to execute code at the same privilege level if they can be abused in a certain way. Specifically, winscripting discovered that when the “fodhelper” process starts it tries to find some registry keys which don’t exist.

The following checks are performed in the registry when fodhelper.exe starts:

Since these registry entries don’t exist, a user can create this structure in the registry in order to manipulate fodhelper into executing a command with higher privileges, bypassing User Account Control (UAC).

C:\Windows\System32\cmd.exe /c powershell.exe

Fodhelper – Creating the Registry Structure Manually

When “Manage Optional Features” or “fodhelper.exe” runs again, the command will be executed and an elevated PowerShell session will open:

Fodhelper – Elevated PowerShell
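From a detection standpoint, the observable artefact of this bypass is the one the page describes: fodhelper.exe, which legitimately runs at High integrity, ends up as the parent of cmd.exe (and, through it, powershell.exe) at that same integrity level. The following is an added example, not part of the original post or of winscripting’s script, that applies that rule to process-creation events. The Sysmon-like key=value event layout and the sample lines are constructed for illustration; real collection would parse the Event ID 1 fields of the EDR or Sysmon pipeline in use.

```python
"""Flag process-creation events where fodhelper.exe spawns a shell at High integrity."""
import re
from typing import Dict, Iterable, List

# Constructed sample events in a Sysmon-like "key=value" layout (not real telemetry).
# They mirror the behaviour described on the page: fodhelper.exe auto-elevates to
# High integrity, and after the registry hijack it runs "cmd.exe /c powershell.exe"
# at that same integrity level.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\fodhelper.exe ParentImage=C:\\Windows\\explorer.exe '
    'IntegrityLevel=High CommandLine="C:\\Windows\\System32\\fodhelper.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\fodhelper.exe '
    'IntegrityLevel=High CommandLine="C:\\Windows\\System32\\cmd.exe /c powershell.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe '
    'IntegrityLevel=Medium CommandLine="cmd.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe IntegrityLevel=High CommandLine="powershell.exe"',
]

# Interpreters an auto-elevated settings helper has no business launching.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# key=value pairs; a quoted value may contain spaces (e.g. a full command line).
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict of field name -> value."""
    fields: Dict[str, str] = {}
    for m in _FIELD.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_fodhelper_shell_spawn(event: Dict[str, str]) -> bool:
    """True when fodhelper.exe is the parent of a shell running at High integrity."""
    return (
        event.get("EventID") == "1"
        and basename(event.get("ParentImage", "")) == "fodhelper.exe"
        and basename(event.get("Image", "")) in SHELL_IMAGES
        and event.get("IntegrityLevel", "").lower() == "high"
    )


def find_fodhelper_shell_spawns(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every parsed event that matches the detection rule."""
    return [ev for ev in map(parse_event, lines) if is_fodhelper_shell_spawn(ev)]


if __name__ == "__main__":
    for hit in find_fodhelper_shell_spawns(SAMPLE_EVENTS):
        print(f"ALERT fodhelper.exe spawned a shell: {hit['CommandLine']} "
              f"(IntegrityLevel={hit['IntegrityLevel']})")
```

Only the second sample line fires: fodhelper.exe launching itself from explorer.exe at High integrity is the normal auto-elevation the page shows in the Event Properties screenshot, and a medium-integrity cmd.exe from explorer.exe is everyday user activity. The rule keys on the parent/child pair rather than on the command line, so it still matches if the hijacked command is something other than the cmd.exe /c powershell.exe shown above.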

In order to automate this process, winscripting developed a PowerShell script that performs the bypass in three steps: